Digital fingerprints the next privacy invasion?

Every day we leave our digital fingerprints all over the online world. How much of it should be available to police and intelligence services without a warrant?

If Australia accedes to the Council of Europe Convention on Cybercrime as the Government intends, the answer is shiploads. Our politicians seem incapable of balancing our civil liberties against continual demands for more surveillance.

The convention is the first international treaty on crimes committed via the internet, and so far it’s the only binding one. It started as a European initiative in 2001, entered force in July 2004, and since then a total of 43 nations have signed on, including Canada, Japan, South Africa and the US. More than 100 nations are using the convention as an example to help them strengthen their own legislation.

On 30 April 2010 the Australian Government announced its intention to join too. Last month the Attorney-General’s Department kicked off the necessary public consultation. Submissions close next Monday March 14.

Now as more and more of our everyday lives are conducted online, crime has moved there too. The internet’s cross-border nature means that law enforcement agencies need cross-border arrangements. Clearly they need new tools, and the convention contains plenty of good stuff about creating a framework for cooperation, facilitating information exchange and setting up 24/7 mutual-assistance hotlines for investigators.

There’s also quite reasonable requirements like criminalising attacks on internet infrastructure, hacking into systems or disrupting them - although those acts are already crimes in Australia. No-one would disagree with criminalising “content-related offences” when that vague term in the covering notes is attached to the phrase “including child pornography”. And while some might disagree with the convention requiring copyright and trademark infringement to be criminalised, again such things have already been turned into crimes in this country, so it’s not unreasonable for online laws to match.

Indeed, one of the key arguments in favour of acceding to the convention is that it helps apply the same rules to online communications as already apply to traditional telecommunications.

Take the telephone. In Australia, under powers granted by the Telecommunications Act, police can routinely access your telco’s call records - the numbers you called and when. To further invade your privacy and listen to the contents of a phone call requires a warrant signed off by a judge.

Similarly, goes the explanation, under the requirements in the convention’s handy companion document, the European Directive on Data Retention, internet service providers (ISPs) would maintain records of your online communications for later access by law enforcement. This includes matching a specific internet address to the customer using it at the time, records of email sent and received, records of which websites you visited and when, and so on. For the police to access the contents of your email, or see specifically which pages of a website you visited, or monitor live internet traffic - all that would still require a warrant.

“I think people need to realise that there isn’t a great deal of change from the current status quo. Australia as a jurisdiction would be 90 to 95 per cent compliant with Council of Europe recommendations,” cybercrime specialist Nigel Phair told this week’s Patch Monday podcast.

However digital rights advocacy group Electronic Frontiers Australia thinks the convention is a terrible document. Just one concern is that it would criminalise the selling of tools that could be used for cybercrime, yet are often the very same tools used by systems administrators to ensure the security of their networks.

“Do we want to end up in a situation where police are able to get in and monitor the internet activity of any Australian based on an Albanian warrant?” EFA vice-chair Colin Jacobs told ABC Unleashed.

“And we don’t think police have yet made the case that a database of all our communications activity really needs to be kept whether or not we have been suspected of a crime.”

Personally, I’m not convinced all this is such a simple mapping of traditional procedures onto the internet either.

Australia Post doesn’t keep a record of every letter and postcard you send and receive. Libraries don’t record who comes in the read books. Convenience stores don’t record the names of everyone who pops in for milk and a packet of fags. No-one records the names and addresses of people pausing on a street corner to have a chat. Yet now, for the equivalent activities on our digital streets, that’s precisely what is being proposed.

The Government’s attitude to all this can be further divined from three facts.

First, how many times does the Attorney-General’s Department’s discussion paper mention the word privacy? Zero. And while it notes that powers and procedures developed to conform to the convention should provide for “the adequate protection of human rights and liberties”, this point isn’t discussed and further.

Second, the convention requires that the information gathered under ISP data retention be kept for 90 days. The Attorney-General wants it kept for a full year - although it must be said that there’s an argument for that. “Not every law enforcement investigation is kicked off in 90 days, and if you don’t have the retained data often that is critical,” Phair said, who would personally prefer a two-year retention period.

Third, the Government continues to extend the powers of law enforcement and intelligence agencies without public debate and without any counterbalancing extension to the oversight. Only last week, ASIO’s powers were extended again, with The Greens’ attempts to introduce oversight blocked with the now-standard excuse that such measures would “reveal operation details”. The Coalition is no better: they didn’t ask a single question during the entire Senate debate. They didn’t even ask for a cost benefit analysis.

Increasingly, we are simply recording data because we can and because it costs next to nothing, from car number plates using a freeway to the location of mobile phones. Simply because the data is there, law enforcement agencies want access. Sure, it’d be convenient. But in an age when we’re already the safest we’ve ever been and, tabloid beat-ups notwithstanding, crime levels are steadily falling, is the trade-off worth it?